From patchwork Wed Nov 3 22:55:58 2010
X-Patchwork-Submitter: Jan Engelhardt
X-Patchwork-Id: 70086
X-Patchwork-Delegate: davem@davemloft.net
Date: Wed, 3 Nov 2010 23:55:58 +0100 (CET)
From: Jan Engelhardt
To: kaber@trash.net
cc: davem@davemloft.net, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 5/5] ipv4: netfilter: ip_tables: fix information leak to userland
In-Reply-To: <1288822372-21245-6-git-send-email-kaber@trash.net>
X-Mailing-List: netdev@vger.kernel.org

On Wednesday 2010-11-03 23:12, kaber@trash.net wrote:

>From: Vasiliy Kulikov
>
>Structure ipt_getinfo is copied to userland with the field "name"
>that has the last elements uninitialized. It leads to leaking of
>contents of kernel stack memory.
>
>Signed-off-by: Vasiliy Kulikov
>Signed-off-by: Patrick McHardy >--- > net/ipv4/netfilter/ip_tables.c | 1 + But then we would also need this: --------8<------------- parent 93aa45607748d2ffa73f41a435dced6a2fd90cb5 (v2.6.36-rc3-1020-g93aa456) commit 8aff3f67fa47f7d3211aea8bbef999554d6f65e5 Author: Jan Engelhardt Date: Wed Nov 3 23:55:18 2010 +0100 netfilter: ip6_tables: fix information leak to userspace Signed-off-by: Jan Engelhardt --- net/ipv6/netfilter/ip6_tables.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index c683e9e..d13f893 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1137,6 +1137,7 @@ static int get_info(struct net *net, void __user *user, private = &tmp; } #endif + memset(&info, 0, sizeof(info)); info.valid_hooks = t->valid_hooks; memcpy(info.hook_entry, private->hook_entry, sizeof(info.hook_entry));
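
Review bot: the commit message is only a subject line, so nothing records what the memset() added before `info.valid_hooks = t->valid_hooks;` in get_info() is protecting. Please add a body along the lines of the quoted ip_tables message, saying that info is later copied to userspace and that the bytes the field assignments do not write would otherwise carry kernel stack contents. It is also worth saying there that zeroing the whole structure with sizeof(info) is intentional, because it covers every unwritten byte of the structure rather than only the tail of one string field. The placement after the `#endif` and ahead of the first field assignment looks right, since a later memset would wipe values already stored.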